From cb5b90b7107cece88974a9ab9eacfda9f241f320 Mon Sep 17 00:00:00 2001
From: Jack Dockerty <jdockerty19@gmail.com>
Date: Wed, 7 Aug 2024 17:20:21 +0100
Subject: [PATCH 1/2] fix: do not skip signing with allow_anonymous

---
 core/src/services/gcs/core.rs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/core/src/services/gcs/core.rs b/core/src/services/gcs/core.rs
index 0b9e8ae84c94..dd163fb4eae8 100644
--- a/core/src/services/gcs/core.rs
+++ b/core/src/services/gcs/core.rs
@@ -112,9 +112,6 @@ impl GcsCore {
     }
 
     pub async fn sign<T>(&self, req: &mut Request<T>) -> Result<()> {
-        if self.allow_anonymous {
-            return Ok(());
-        }
         let cred = self.load_token().await?;
 
         self.signer

From 54c1ae8b438bfa212c0f974fc9f072922d58c7c6 Mon Sep 17 00:00:00 2001
From: Jack Dockerty <jdockerty19@gmail.com>
Date: Wed, 7 Aug 2024 17:35:15 +0100
Subject: [PATCH 2/2] feat: load_token handles allow_anonymous

---
 core/src/services/gcs/core.rs | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/core/src/services/gcs/core.rs b/core/src/services/gcs/core.rs
index dd163fb4eae8..445659302515 100644
--- a/core/src/services/gcs/core.rs
+++ b/core/src/services/gcs/core.rs
@@ -75,20 +75,24 @@ static BACKOFF: Lazy<ExponentialBuilder> =
     Lazy::new(|| ExponentialBuilder::default().with_jitter());
 
 impl GcsCore {
-    async fn load_token(&self) -> Result<GoogleToken> {
+    async fn load_token(&self) -> Result<Option<GoogleToken>> {
         let cred = { || self.token_loader.load() }
             .retry(&*BACKOFF)
             .await
             .map_err(new_request_credential_error)?;
 
         if let Some(cred) = cred {
-            Ok(cred)
-        } else {
-            Err(Error::new(
-                ErrorKind::ConfigInvalid,
-                "no valid credential found",
-            ))
+            return Ok(Some(cred));
         }
+
+        if self.allow_anonymous {
+            return Ok(None);
+        }
+
+        Err(Error::new(
+            ErrorKind::ConfigInvalid,
+            "no valid credential found",
+        ))
     }
 
     fn load_credential(&self) -> Result<Option<GoogleCredential>> {
@@ -112,11 +116,13 @@ impl GcsCore {
     }
 
     pub async fn sign<T>(&self, req: &mut Request<T>) -> Result<()> {
-        let cred = self.load_token().await?;
-
-        self.signer
-            .sign(req, &cred)
-            .map_err(new_request_sign_error)?;
+        if let Some(cred) = self.load_token().await? {
+            self.signer
+                .sign(req, &cred)
+                .map_err(new_request_sign_error)?;
+        } else {
+            return Ok(());
+        }
 
         // Always remove host header, let users' client to set it based on HTTP
         // version.